Securing SSL access to your website

The below instructions will demonstrate how to prevent access to your site if it has come from an unsecured connection.

We’ve provided a few examples below of how to detect and deny access if the page has not been accessed via SSL.

On Linux

On our Linux shared hosting accounts, the environment variable SSL will be set when the connection is SSL-secured.

Via .htaccess

On our Linux shared hosting accounts, you can restrict a directory to SSL-only access by putting the following commands in a .htaccess file. This will apply to all files within the directory, and all subdirectories:

&Order deny,allow
Deny from all
Allow from env=SSL

Any attempt to access this directory using http will be denied, but using SSL will be enabled.

PHP

To restrict access to an individual script, simply add the following lines to the top of your PHP file:

 You are not authorised to access this page.";
exit;
}
?>

On Windows

Any SSL connection to our windows shared hosting accounts will have the http header X-Forwarded-SSL set.

C#

You should make a class called SecurePage which inherits from your main page class (probably System.Web.UI.Page)

using System.Web;
public partial class SecurePage : System.Web.UI.Page
{
public SecurePage()
{
if (HttpContext.Current.Request.Headers["X-Forwarded-SSL"] == null)
{
HttpContext.Current.Response.StatusCode = 403;
HttpContext.Current.Response.StatusDescription = "Forbidden";
HttpContext.Current.Response.Output.WriteLine("<h2>You are not authorised to access this page.</h2>");
HttpContext.Current.Response.End();
}
}
}

Any attempt to access this page produces output:

You are not authorised to access this page.

Related Support Material:

  1. How do I password protect my site? (.htaccess)
  2. Shared SSL on 123 Reg Shared Hosting
  3. Basic Linux Commands
  4. Common HTTP errors
  5. Self Diagnosis Alert – Index Page – Linux Hosting
  6. What are the file limitations or maximum disk space available on my server?